Prevention vs mitigation

In the bow-tie model, where you place a measure determines what it does. Prevention measures reduce the probability of a risk. Mitigation measures reduce the impact if the risk occurs. Understanding this distinction is essential for accurate risk scoring.

Prevention measures

Prevention measures attach to the connection between a cause and the risk event. They sit on the left side of the bow-tie diagram. Their goal is to stop the risk from happening in the first place by reducing its probability.

How prevention works

Each prevention measure reduces the probability score on that specific cause-to-risk pathway. Multiple prevention measures on the same connection combine for a greater reduction.

Example:
Cause: Supplier bankruptcy
Measure: Maintain qualified backup suppliers
Result: Reduces likelihood of supply disruption

Mitigation measures

Mitigation measures attach to the connection between the risk event and an effect. They sit on the right side of the bow-tie diagram. Their goal is to limit the damage if the risk does occur.

How mitigation works

Each mitigation measure reduces the impact score on that specific risk-to-effect pathway. You can stack multiple mitigation measures on one connection line for layered protection.

Example:
Risk: Data center failure
Measure: Automated failover to backup site
Result: Reduces downtime impact on customers

Why placement matters

Accurate risk calculation

By placing measures on specific connections, Risk Companion can calculate exactly how each measure affects the overall risk score. Prevention measures reduce probability scores. Mitigation measures reduce impact scores. This granular approach keeps your risk calculations accurate and meaningful.

You can see all your measures in context on the bow-tie diagram, where prevention measures appear on the left and mitigation measures on the right.
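The placement rule above, worked through as an added example (not Risk Companion's own code or formula). It assumes probabilities on a 0..1 scale, measures that each remove a fixed fraction of their pathway's score and stack multiplicatively, independent causes, and additive effect impacts; all class names and numbers are constructed for illustration.

```python
from dataclasses import dataclass, field
from math import prod

@dataclass
class Measure:
    name: str
    reduction: float  # assumed: fraction of the pathway score removed (0..1)

@dataclass
class Pathway:
    """One connection line: cause->risk (left) or risk->effect (right)."""
    label: str
    score: float  # inherent probability (0..1) for a cause, impact for an effect
    measures: list = field(default_factory=list)

    def residual(self) -> float:
        # Assumed stacking rule: each measure scales what the previous ones left.
        return self.score * prod(1 - m.reduction for m in self.measures)

@dataclass
class BowTie:
    risk: str
    causes: list   # prevention measures live on these pathways
    effects: list  # mitigation measures live on these pathways

    def probability(self, residual=True) -> float:
        # Assumed: causes are independent, so P(event) = 1 - prod(1 - p_i).
        return 1 - prod(1 - (c.residual() if residual else c.score) for c in self.causes)

    def impact(self, residual=True) -> float:
        # Assumed: effect impacts add up.
        return sum(e.residual() if residual else e.score for e in self.effects)

    def score(self, residual=True) -> float:
        return self.probability(residual) * self.impact(residual)

def sample_bowtie() -> BowTie:
    # Constructed sample data; all numbers are illustrative.
    return BowTie(
        risk="Data center failure",
        causes=[Pathway("Power loss", 0.20, [Measure("UPS and generator", 0.5)]),
                Pathway("Cooling failure", 0.10)],
        effects=[Pathway("Customer downtime", 8.0,
                         [Measure("Automated failover to backup site", 0.5),
                          Measure("Customer status updates", 0.25)]),
                 Pathway("Data loss", 6.0)],
    )

if __name__ == "__main__":
    bt = sample_bowtie()
    print(f"inherent {bt.score(False):.2f} -> residual {bt.score():.2f}")
```

Under these assumptions, adding a measure to an effect pathway never changes the probability, and adding one to a cause pathway never changes the impact, which is why a measure filed on the wrong side of the diagram distorts the score.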

Writing effective measures

A well-written measure is specific, actionable, and verifiable. Follow these guidelines to get the most out of your risk management efforts.

Do
  • Use action verbs: implement, install, train, review
  • Be specific about what will be done and by whom
  • Make measures measurable and verifiable
  • Set realistic timelines the owner can meet
  • Link each measure to a specific cause or effect

Avoid
  • Vague phrasing like "improve quality"
  • Measures without a clear owner
  • Unrealistic timelines or scope
  • Duplicate measures across similar risks
  • Measures that cannot be verified as complete

Example comparison

Weak measure

"Improve supplier relationships"

Strong measure

"Conduct quarterly business reviews with top 5 suppliers including performance scorecards"
